PCI-DSS: Your CDE may be getting bigger



In December, the PCI Security Standards Council released guidance around scoping and network segmentation for card data environment (CDE) assets. In their own words:

“Many organizations struggle to understand where PCI DSS controls are required and which systems need to be protected. This document provides guidance to help organizations identify the systems that, at a minimum, need to be included in scope for PCI DSS. Additionally, the document provides guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls.”

The guidance goes on to visualise a scoping process, considering each category of system in turn:


I believe it’s worth highlighting the ‘broadness’ of the “Connected to OR Security Impacting Systems”. These are cases where the:
  • System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity).
  • System component can connect to or access the CDE via another system—for example, via connection to a jump server that provides access to the CDE).
  • System component can impact configuration or security of the CDE, or how CHD/SAD is handled— for example, a web redirection server or name resolution server.
  • System component provides security services to the CDE—for example, network traffic filtering, patch distribution, or authentication management.
  • System component supports PCI DSS requirements, such as time servers and audit log storage servers.
  • System component provides segmentation of the CDE from out-of-scope systems and networks—for example, firewalls configured to block traffic from untrusted networks.
The guidance states that these systems: 
  • Are in scope for PCI DSS. Even where a connection is limited to specific ports or services on specific systems, those systems are included in scope to verify that the applicable security controls are in place.
  • Must be evaluated against all PCI DSS requirements to determine the applicability of each requirement.
  • Must not provide an access path between CDE systems and out- of-scope systems.


In my experience many organisations’ employ jump-posts or bastions heavily in order to facilitate access to their CDE, with assets on one side being clearly in-scope and assets on the other being strictly out of scope. With this intermediary many organisations then avoid the need for dedicated CDE workstations. If we work to the assumption then that this guidance will add to the requirements then this will represent a fundamental shift (albeit for the better) in improving the overall the security posture of many organisations. It will also require many organisation to seriously reconsider their approach to managing CDE assets.


Source: 
https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf

Popular posts from this blog

Splunk Security Cheat Sheet

Image
Apart from being a source of all too frequent and embarrassing typos, Splunk is a big data platform which allows you to interrogate data and present results is a variety of contexts and visualisations. I've been using it for a little over 12 months, self teaching or Googleing as I go, predominantly to sift through the terabytes of logs from various applications and appliances that get generated in my 9-5 every day.  You can use Splunk to build dashboards which are typically better than the ones that come with the product ( full size )  I've started to pull together all the searches, notes and bits of code into a sort of security cheat sheet which I thought would be a good thing to share as well as providing some real world examples of how you might use Splunk in a security context.  Cheat Sheet I'm actively working back through my notes and adding to this all the time so it might be a good thing to reference via the URL or re-visit from time to time. I'll t
Read more

Developing Leeds Scene

Image
Conscious that it's been some time since I wrote a post so I thought I'd write a little something about the developing Leeds 'scene' since co-founding DC151 and helping (albeit a little) with BSides Leeds.  DC151 (Every 2nd Wednesday) I'd complained for years that Leeds had no regular social gathering for people like us so when Mark C  announced BSides Leeds and everyone looked this way I picked up the phone and start texting. After some hurried planning I agreed a format and charter with Matt  and we committed to a date for the first gathering, October 11th. We gave ourselves around two months to sort everything, including finding a venue.  So far we've now held four gatherings and I couldn't be happier with how it's worked out. We've had to learn as we go and tweak the format along the way.  We've had some great talks and we continue to receive  support and attract interest beyond LS1.  If you're interested in com
Read more